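Last day of the Pwn2Own hacking contest: Chrome held out to the end.
Source: Internet  Published by: student fee-collection software  Editor: 程序博客网  Time: 2024/06/09 02:53
Original: http://readsomestory.blogspot.com/2009/03/chrome-only-browser-left-standing-after.html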
Browser vendors often make strong claims about their responsiveness to vulnerability reports and their ability to preemptively prevent exploits. Security is becoming one of the most significant fronts in the new round of browser wars, but it's also arguably one of the hardest aspects of software to measure or quantify.
A recent contest at CanSecWest, an event that brings together some of the most skilled experts in the security community, has demonstrated that the three most popular browsers are susceptible to security bugs despite the vigilance and engineering prowess of their creators.
Firefox, Safari, and Internet Explorer were all exploited during the Pwn2Own competition that took place at the conference. Google's Chrome browser, however, was the only one left standing—a victory that security researchers attribute to its innovative sandbox feature.
The contest awards security researchers with hardware and cash prizes for finding efficient ways to trick browsers into executing arbitrary code. During the first day of the competition, the contestants are required to do this in default browser installations without plugins such as Flash or Java, which are commonly used as vectors for attacks. Researchers typically prepare for the event far in advance by finding zero-day exploits ahead of time.
Early this month, prior champion Charlie Miller told reporters that he would be attempting to exploit a Safari vulnerability on Mac OS X. Safari, he said, would be the first to succumb to the contestants. As he promised, Safari went down first: he was able to execute his prepared hack in only a matter of seconds. Another security expert known only as Nils took longer, but was able to successfully exploit all three of the most popular browsers.
These contests contribute to the growing culture of commercialism that surrounds the art of exploitation. In an interview with ZDNet, Miller said that the vulnerability he used in the contest was one that he had originally found while preparing for the contest last year.
Instead of disclosing it at that time, he decided to save it for the contest this year, because the contest only pays for one bug per year. This is part of his new philosophy, he says, which is that bugs shouldn't be disclosed to vendors for free.
"I never give up free bugs. I have a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away," Miller told ZDNet. "Apple pays people to do the same job so we know there's value to this work."
Miller also told reporters that he targeted Safari on Mac OS X because he believes that it is the easiest to exploit. Windows, on the other hand, he claims is tougher because of its address randomization feature and other security measures. As for Chrome, he says that he has identified a security bug in Google's browser but has been unable to exploit it because the browser's sandboxing feature and the operating system's security measures together pose a formidable challenge.
The game isn't over yet. During the second day of the event, the focus will turn towards Chrome. Nils, who demonstrated impressive skill during the first day by conquering the three most popular browsers, might have a few more tricks up his sleeve. According to the official rules, the participants will be permitted to use plugins during the second day.